If I understood it correctly, you want to verify the certificate by OCSP, which might not be enabled by default on NGINX but can be changed to this behavior. Regarding the original NGINX documentation:

- Enables verification of client certificates. The verification result is stored in the $ssl_client_verify variable. (on/off)

```nginx
ssl_verify_client on;
```

- Enables OCSP validation of the client certificate chain. The leaf parameter enables validation of the client certificate only. (on/off/leaf)

```nginx
ssl_ocsp on;
```

- Forces the use of a specific DNS resolver.

```nginx
resolver 192.168.2.1;
```

- Overrides the URL of the OCSP responder specified in the "Authority Information Access" certificate extension for validation of client certificates, i.e., if you run your own OCSP distribution site or need to use a specific one.

```nginx
ssl_ocsp_responder http://ocsp.example.org;
```

Additionally and other:

- Enables or disables verification of OCSP responses by the server.

```nginx
ssl_stapling_verify on;
```
Since it's unclear which side should be verified, I'm going for a more general approach.

Remember that, as I read it, all configuration parameters can be added to the server section, which affects all sub-locations, so you will only need to configure it once.

A generic configuration could look like this example:

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # server certificate and key
    ssl_certificate     /path/to/your/certificate.pem;
    ssl_certificate_key /path/to/your/private-key.pem;

    # OCSP validation of the client certificate chain, plus client verification
    ssl_ocsp on;
    ssl_verify_client on;

    # resolver used to reach the OCSP responder
    resolver 192.168.2.1;

    location / {
        proxy_pass http://your_upstream_server;
    }
}
```
If you need to use a specific certificate for verification, I would suggest (taken from serverfault):

```nginx
# Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
# The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.
ssl_client_certificate /etc/nginx/client_certs/ca.crt;
ssl_verify_client on;
ssl_stapling on; # Yes, this has to be configured to use OCSP
resolver 192.0.2.1;
```
which would lead to this example configuration:

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # server certificate and key
    ssl_certificate     /path/to/your/certificate.pem;
    ssl_certificate_key /path/to/your/private-key.pem;

    # OCSP validation of the client certificate chain, plus client verification
    ssl_ocsp on;
    ssl_verify_client on;

    # CA used to verify the client certificates
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    ssl_stapling on; # Yes, this has to be configured to use OCSP

    # resolver used to reach the OCSP responder
    resolver 192.0.2.1;

    location / {
        proxy_pass http://your_upstream_server;
    }
}
```

I hope I could help you with both ways.

P.S. I would greatly appreciate it if someone could edit this response to produce a more fluent and pleasant-sounding response. I am not particularly proficient in writing English.
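An added example (not part of the answer above and not taken from the NGINX project) that builds on the $ssl_client_verify variable mentioned at the top: it records the verification outcome per request and rejects anything that did not pass, so a revoked or untrusted client certificate is both blocked and auditable. The paths, server name and resolver address are placeholders.

```nginx
http {
    # $ssl_client_verify is SUCCESS, FAILED:<reason> or NONE (no certificate sent);
    # logging it next to the subject DN and serial gives a usable audit trail
    log_format mtls '$remote_addr "$ssl_client_s_dn" $ssl_client_serial '
                    '$ssl_client_verify "$request" $status';

    server {
        listen 443 ssl;
        server_name example.com;          # placeholder

        ssl_certificate     /path/to/your/certificate.pem;   # placeholder
        ssl_certificate_key /path/to/your/private-key.pem;   # placeholder

        # CA that issued the client certificates
        ssl_client_certificate /etc/nginx/client_certs/ca.crt;   # placeholder
        ssl_verify_depth 2;

        # "optional" lets the handshake complete so the failure reason is logged;
        # the location block below still rejects anything other than SUCCESS
        ssl_verify_client optional;

        # OCSP check of the whole client chain; a resolver is needed to reach the responder
        ssl_ocsp on;
        resolver 192.0.2.1;               # placeholder

        access_log /var/log/nginx/mtls.log mtls;

        location / {
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_pass http://your_upstream_server;   # placeholder
        }
    }
}
```

Run `nginx -t` after editing and check the mtls log for FAILED entries to confirm that revoked test certificates are being rejected.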